ClickFix Attack Uses DNS Hijacking to Deploy Malware

ClickFix Attack Uses DNS Hijacking to Deploy Malware

Posted on By CWS

A novel variant of the ClickFix social engineering campaign is now leveraging a custom DNS hijacking tactic to propagate malware. This sophisticated attack exploits DNS queries to execute further infection stages, effectively evading conventional detection mechanisms by blending into standard network operations.

How ClickFix Attacks Deceive Users

ClickFix attacks employ deception through fake error alerts, such as counterfeit CAPTCHA challenges or misleading ‘fix this issue’ prompts on compromised web pages. These tactics manipulate users into copying a specific script to their clipboard and executing it via basic system dialogs like the Run command or PowerShell.

While earlier versions like CrashFix used fake browser crashes to create urgency, the latest iteration employs an advanced evasion technique involving the Domain Name System (DNS). This method facilitates the attack’s stealth and efficacy.

The Technical Evade Strategy

Upon execution of the initial harmful command, the script uses cmd.exe to perform a DNS lookup directed at an attacker-controlled server, bypassing the system’s usual internet resolver. The script analyzes this DNS response, specifically extracting data from the Name: field, which contains the code for the subsequent payload stage.

This innovative approach transforms DNS into a lightweight staging environment, enabling attackers to verify target activity before deploying more substantial malware components. Given the ubiquitous nature of DNS traffic in networks, this method effectively conceals malicious actions.

Infection Process and Impact

Microsoft Defender researchers have noted that following the DNS-triggered second stage, the attack sequence downloads a ZIP archive with a portable Python setup. The malicious Python script executes to perform host and domain reconnaissance, ensuring continued access by deploying a VBScript and establishing a shortcut named MonitoringService.lnk in the Windows Startup directory.

The campaign’s final payload is a Remote Access Trojan (RAT) known as ModeloRAT, which is detected and neutralized by Microsoft Defender Antivirus under the threat signature Trojan:Win32/ClickFix.R!ml. This threat highlights the importance of robust cybersecurity measures to counter evolving attack strategies.

Stay updated on the latest cybersecurity news by following us on Google News, LinkedIn, and X. Reach out to feature your stories.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

Critical Vulnerability In Chromium’s Blink Let Attackers Crash Chromium-based Browsers Within Seconds Critical Vulnerability In Chromium’s Blink Let Attackers Crash Chromium-based Browsers Within Seconds Cyber Security News
ToxicPanda Android Banking Malware Infected 4500+ Devices to Steal Banking Credentials ToxicPanda Android Banking Malware Infected 4500+ Devices to Steal Banking Credentials Cyber Security News
New Phishing Attack Targeting Meta Business Suite Users to Steal Login Credentials New Phishing Attack Targeting Meta Business Suite Users to Steal Login Credentials Cyber Security News
Top 10 Best Brand Protection Solutions For Enterprises in 2025 Top 10 Best Brand Protection Solutions For Enterprises in 2025 Cyber Security News
Post-Quantum Cryptography What CISOs Need to Know Post-Quantum Cryptography What CISOs Need to Know Cyber Security News
Record-breaking 11.5 Tbps UDP Flood DDoS Attack Originated from Google Cloud Platform Record-breaking 11.5 Tbps UDP Flood DDoS Attack Originated from Google Cloud Platform Cyber Security News